What security policy is acceptable for you ...

[mvl]

Most of us have a lot of accounts with services and websites. In some cases no personal information is stored in those accounts, but in other cases we provide data about ourselves that should be safe and secure, like SSN or CC information. I have quite some technical background and spotting obvious bad practises when it comes to security policies has become a bit of hobby. I am curious to see how the rest of you thinks about this.

Some examples:

- Would you find it acceptable if a website allows you to change your password if you can answer some security questions like 'what was the name of your first math teacher'. I think that can be disputed, because the answers can be 'social engineered', and social engineering is a great skill for a hacker.

- Would you find it acceptable if it appears that a site that stored sensitive information, like your credit card number, appears to store your password in clear text in a database?

- Would you find it acceptable if a website (re-)sends you your password via email ?

 

[katherine]

1. That depends, but I guess the answer is yes. The E-mail might no longer work. Especially a free mail account that expired (eg. yahoo) or your previous ISP.
Obviously the user should choose the security questions sensibly. I would add other possible options at signup like cellular number for SMS or backup E-mail address.
2 & 3. No, credit card numbers should be encrypted, passwords should be hashed. Not stored in plain text.

 

[mvl]

So what would you do if it turns out that a service you use is storing passwords unhashed and re-sends them by email on request?

 

[katherine]

a. Try to educate them.
b. If they don't learn (quick), then leave (before disaster strikes).

I admit I haven't tried every registrar yet (if were are talking about a registrar). However the possible bugs and vulnerabilities do often reveal themselves in different ways too.

Also, the fact that they send you a link by E-mail to reset your password (rather than send the password back to you in plain text) is not a guarantee that the password actually is stored in hashed form (non-reversible)
Even when things look OK on the surface you can never be sure...

It reminds of a little story, years ago I booked a hotel room in a Scandinavian country, the website had an SSL-secured form to enter the credit card details, so far so good... the day after I received a confirmation from the clerk by E-mail: the SSL page was little more than a form to E-mail script and all the credit card information was in clear at the bottom of the mail :sigh2:

 

[draggar]

Are you talking about enom?

 

[mvl]

No not Enom

 

[Biggie]

Most of us have a lot of accounts with services and websites. In some cases no personal information is stored in those accounts, but in other cases we provide data about ourselves that should be safe and secure, like SSN or CC information. I have quite some technical background and spotting obvious bad practises when it comes to security policies has become a bit of hobby. I am curious to see how the rest of you thinks about this.

Some examples:

- Would you find it acceptable if a website allows you to change your password if you can answer some security questions like 'what was the name of your first math teacher'. I think that can be disputed, because the answers can be 'social engineered', and social engineering is a great skill for a hacker.

- Would you find it acceptable if it appears that a site that stored sensitive information, like your credit card number, appears to store your password in clear text in a database?

- Would you find it acceptable if a website (re-)sends you your password via email ?

Hi

for me, I look at security as being "non-existent", in that it's a false sense of comfort one feels with divulging any requested or required "personal or credit-related" information....until that security is breached.

a level of comfort could simply be perceived by "how complicated the application process is and how many blank spaces must be filled" to complete it.

where one assumes "if they ask these many questions, then it must be secure"


as "security" has become more of a profit center for "data", and the need for it must always be perceived as relevant.

when in fact, any level of security can be broken, which is why its always has to be updated. (but that too is part of profit margins)


if they gave you two choices at the airport:


1. go thru security as is today


2. no security screening, go straight to gate and take your chances.


which one you think most folks would choose?

 

[draggar]

No not Enom

OK. I tried to reset my password with eNom the other day and they emailed it to me. IMO not very secure.

Security questions is the best way to go - just make sure they have ones that aren't easy.

 

[mvl]

OK. I tried to reset my password with eNom the other day and they emailed it to me. IMO not very secure.

Security questions is the best way to go - just make sure they have ones that aren't easy.

I am talking about Snapnames. I reported the issue with them in November 2012 and nothing has changed. Now Moniker, also a Keydrive company, have a password reset issue and they are telling everybody how important security is for them.

https://www.snapnames.com/forgot_password.jsp not only sends the password in clear text via an insecure protocol (mail), but they also tell you that they are going to send it.

So Keydrive is telling you how they care about security and at the same time give signals that they really don't care.

For who is interested, this has been a well known bad practise for many years, and a solution is not that hard to implement (salted high-entropy hashes are usually part of the solution)

 

[angel69]

I find it appalling that eNom (sorry, Bari and do let them know this is an F- for security) does that in 2013, thank God I don't use them, and they're such a huge registrar. Not acceptable even if they force the customer to reset that new password after signing in the 1st time after that. If a rep did that then kick him out of eNom, but I'm pretty sure it was system-generated

Two registrars (neither of them was eNom btw), both well known and as recently as just a couple of years ago, emailed me my new password and both times that was after they reset it (log-in failures without explanation or they reset it after not logging in for some time) My jaw dropped to the floor because both are popular enough to get mentioned here a lot. And no, I don't have domains with either one anymore, so hackers - don't bother, emails were deleted and my trash was washed with acid after..... :approve: ....and such passwords were both set by the registrars so you wouldn't get to see how my mind works either lol...... :undecided:

OK. I tried to reset my password with eNom the other day and they emailed it to me. IMO not very secure. Security questions is the best way to go - just make sure they have ones that aren't easy.

:jaw:

 

[Biggie]

anybody who craps on enom is just crappin for the hell of it.

been with them since the beginning and never a security issue

comfort level is extremely high, compared to low comfort level of say, godaddy


imo...

 

[angel69]

Biggie, I'm sure this was fired mainly at me lol.... neither of the registrars which emailed me new passwords for my account in the past was eNom, in fact I don't deal with eNom a lot because I can't afford them, and in fairness to them I don't hear often that eNom is not a secure place (but..... I don't hear often that eNom is another Fabulous, Moniker or even TuCows for security either, so .....they may fall in the middle for that, maybe their security is good as you've found in your case, but emailing somebody their FULL password is plain nuts !....)

Draggar said it happened to him just recently and he didn't say it was partially suppressed, so I assume it was actually his own full password, aren't you shocked btw, Biggie ? if they ever do that to you at eNom you'll be up in arms and you'll probably even leave too, trust me...

I wasn't picking on eNom just for kick, I was just comparing another DNF mod's experience to my own, ie real security missteps by registrars sometimes....

anybody who craps on enom is just crappin for the hell of it.

been with them since the beginning and never a security issue

comfort level is extremely high, compared to low comfort level of say, godaddy

imo...

 

[Biggie]

Biggie, I'm sure this was fired mainly at me lol.... neither of the registrars which emailed me new passwords for my account in the past was eNom, in fact I don't deal with eNom a lot because I can't afford them, and in fairness to them I don't hear often that eNom is not a secure place (but..... I don't hear often that eNom is another Fabulous, Moniker or even TuCows for security either, so .....they may fall in the middle for that, maybe their security is good as you've found in your case, but emailing somebody their FULL password is plain nuts !....)

Draggar said it happened to him just recently and he didn't say it was partially suppressed, so I assume it was actually his own full password, aren't you shocked btw, Biggie ? if they ever do that to you at eNom you'll be up in arms and you'll probably even leave too, trust me...

I wasn't picking on eNom just for kick, I was just comparing another DNF mod's experience to my own, ie real security missteps by registrars sometimes....

angel, not directed at you, but a comment to comments posted.


still, you shouldn't be co-signing shit just because another member says "I tried to reset my password with eNom the other day and they emailed it to me. IMO not very secure."

especially, if you haven't had any personal experiences with that registrar.


that's not how "you" come to a conclusion, about the overall security of a service.


after all....
If, you request or try to reset your password, aren't they supposed to email either the original password, or a link to reset it, or a temp password, until you enter a new one?

that is a normal procedure across the board and as such, shouldn't automatically characterize an entity as insecure or less secure because of it.

what's insecure, is when folks forget their logins, then find fault with the registrar because of their own negligence.


how bout that side of the kiz-zoin!




imo....

 

[mvl]

...
If, you request or try to reset your password, aren't they supposed to email either the original password

Well no, that is exactly what they should not do. It implies that passwords are exposed if their systems get compromised. And that happens in the real world, often through SQL injection, but also otherwise. Passwords should never be stored in a readable way.

http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database

 

[angel69]

It's all cool, Biggie lol, you know eNom much better than most here so .... and I don't dislike or have anything against them, they just bought Name.com (DemandMedia did) btw, and I still have names with Name lol... so I may be logging into the real eNom sooner than I think (and poor Name.com had just given its site a nice facelift and added cool, useful features.... will Name be allowed to keep 'em ? eNom may want to adopt some of that, in fact....but in real life the acquirer usually rules and takes over the "acquiree" completely over time lol)

And I actually should've asked Draggar (#8) if what eNom emailed him was his current password (created by himself previously) or a just a new temp generated by the system. I took it as if what they emailed him was the unencrypted real thing (in full display), but maybe I jumped the gun and it was actually just a temp he was to reset next time he logged in....

In my own two cases btw what they emailed me was my ACTUAL password, those two other registrars (I didn't name them cuz I don't wanna give scammers a leg up here) In one case I hadn't signed in for a few mos and they emailed me the real thing (created by me) The other case was a log-in failure that hadn't been my fault, their system created a new pass but it wasn't a temp for me to reset at the next log-in, it was a permanent one afa they were concerned, which of course I changed immediately ...

:blush:

OK. I tried to reset my password with eNom the other day and they emailed it to me. IMO not very secure. Security questions is the best way to go - just make sure they have ones that aren't easy.

 

[Biggie]

I actually should've asked Draggar (#8) if what eNom emailed him was his current password (created by himself previously) or a just a new temp generated by the system. I took it as if what they emailed him was the unencrypted real thing (in full display), but maybe I jumped the gun and it was actually just a temp he was to reset next time he logged in....

and that, is what you call research or getting the details, instead of just swallowing statements and going off assumptions


not saying draggar was trying to mislead or steer you intentionally or indirectly, but it's how you keep from being mislead or by misleading yourself.


imo...